Simple Page Options Module for Joomla! contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the modules/mod_spo/email_sender.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'spo_site_lang' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

Even though the vulnerable code is supposed to only be vulnerable to Local File Inclusion (LFI) attacks, tt appears that the attacker is also attempting Remote File Inclusion (RFII) attacks as well.